Bug ID 675772: IPsec tunnels fail when traffic-selectors share one IPsec interface mode policy

Last Modified: Jan 20, 2023

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1

Fixed In:
16.1.0, 16.0.1.2

Opened: Jul 26, 2017
Severity: 4-Minor

Symptoms

When IPsec tunnels to several different peers are configured using a single ipsec-policy in interface mode, the tunnels will be unreliable or may not start.

Impact

IPsec tunnels may start but fail after a period of time. In other cases, IPsec tunnels may not start at all.

Conditions

Several traffic-selectors that are associated with different tunnels reference the same interface mode IPsec policy. Note: It is not possible to create this configuration when the IPsec policy is tunnel or transport mode.

Workaround

(1) Create a unique ipsec-policy configuration object for each remote peer and traffic-selector. (2) Use tunnel mode. It is not possible to create this configuration when the IPsec policy is tunnel or transport mode.

Fix Information

By design the implementation does not allow ipsec-policy instances to be shared, under interface mode tunnels, because the tunnel IP addresses used by the interface mode tunnel get pushed into the ipsec-policy instance. In effect, they must match. You can select a dummy IP address for the tunnel into the ipsec-policy, but these are ignored and replaced by the IP addresses of the interface mode tunnel at runtime. When an ipsec-policy is shared, it will have the wrong tunnel IP addresses for one or more of the interface mode tunnels.

Behavior Change